
RE: ACL questions. Answered (long)



On Fri, 12 Mar 2004, Buchan Milne wrote:

> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth
> >
> > # Allow users to change their login shell by themselves
> > access to attrs=loginShell
> >         by self write
> >
> > # Allow uid=Sambaroot to write any samba entries and objectClass to children
> > # of ou=People.
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> > attrs=objectClass,sambaSamAccount
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * read
> >
> > # Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
> > access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
> > attrs=description,sambaSID,sambaGroupType,displayName,objectClass
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * read
> >
> > # Allow uid=Sambaroot to write the objectClass and samba attributes to
> > # children of ou=Host
> > access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
> > attrs=objectClass,sambaSamAccount
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * read
> >
> > # Allow uid=Sambaroot to write to all children of ou=Idmap
> > access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * read
> >
>
> As I read this, it seems you allow Sambaroot to modify entries below
> ou=Idmap, but, since Sambaroot does not have write access to ou=Idmap,
> surely you will get the "no write access to parent" error if samba tries
> to add an idmap entry? The same issue applies to ou=Hosts, does it not?
> This would mean joining machines "on-the-fly" would not work ...

So far I have not found how to get samba to put an entry in Idmap.
Whenever I map Windows to Unix groups it puts samba attributes on my
already created unix groups in ou=Groups.  I still have not been able to
test this through samba.  However, manually adding an entry using
uid=Sambaroot does show the problem, so we would need to change from:

access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"

to:

access to dn.subtree="ou=Idmap,dc=math,dc=gatech,dc=edu"

Note that this will allow uid=Sambaroot to add/remove entries under
ou=Idmap.

>
> > # Now we restrict uid=Sambaroot so that this user cannot erase things
> > access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
> >         by * read
> >
> > # We also allow uid=Sambaroot to add the sambaDomainName entry under the
> > # database root (same level as rootdn).
> > access to dn.subtree="dc=math,dc=gatech,dc=edu"
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * read
> >
>
> Don't you want to prevent uid=Sambaroot from making entries which aren't
> sambaDomain's? ie:
> access to dn.subtree="dc=math,dc=gatech,dc=edu"
> 	attrs=sambaDomain
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
>
> But, then again we may have the "no write access to parent" ?

What you say is correct: adding attrs=sambaDomain gives you the "no write
access to parent" error:
--------------------begin test ---------------------------
Adding user root
New SMB password:

Retype new SMB password:

failed to add domain dn= sambaDomainName=DJR-TEST,dc=math,dc=gatech,dc=edu
with: Insufficient access
        no write access to parent
Adding domain info for DJR-TEST failed with NT_STATUS_UNSUCCESSFUL
--------------------end test------------------------------

>
>
> > # Then we grant access to read everything else.
> > access to *
> >         by * read
>
> Finally, I am wondering about supporting a multi-samba-domain
> implementation (yes, I know there are other ways) without duplicating
> ACLs. ie, how would I make generic ACLs work for this kind of setup?
>
> I have tried things like:
> access to dn="^(.*,)+ou=Hosts,(dc=.+,)+$$"
> 	attrs=objectClass,sambaSamAccount
>         by dn="uid=Sambaroot,ou=People,$2$$" write
> 	by * read
>
> (as far as I understand, something like this can only be done with
> dn.regex, not dn.children?).

I am not fully sure how to do this.  Maybe someone else can help.  I also
believe that you cannot use dn.children to match
dn="^(.*,)+ou=Hosts,(dc=.+,)+$$".  That can only be done with dn.regex.

Diego

>
> Regards,
> Buchan
>
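The following slapd.conf fragment is an added example for the two points raised in this thread (the "no write access to parent" error and a generic, per-domain rule for ou=Hosts); it is not part of either message and was not tested against the math.gatech.edu tree. It assumes OpenLDAP 2.2 syntax, in particular the `children` pseudo-attribute (write on it is what slapd checks on the parent for add/delete) and the `expand` modifier that substitutes regex captures from the target DN into the subject DN. The per-domain layout `uid=Sambaroot,ou=People,<suffix>` is taken from Buchan's attempt and is an assumption, as are the rule names and comments. Rule order matters: slapd applies the first `access to` whose target matches, so these must sit before the broader `ou=(.+)` and `access to *` rules already in the file.

```conf
# --- Added example (not from the original thread). OpenLDAP 2.2 syntax assumed.

# Let Sambaroot add and delete entries directly under ou=Idmap without
# granting write access to the attributes of the ou=Idmap entry itself.
# "children" is the pseudo-attribute slapd checks on the parent for add/delete.
access to dn.exact="ou=Idmap,dc=math,dc=gatech,dc=edu" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * none

# The Idmap entries themselves (one level below the container).
access to dn.onelevel="ou=Idmap,dc=math,dc=gatech,dc=edu"
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Allow the sambaDomainName=... entry to be created under the base without
# handing Sambaroot write access to every other entry in the tree:
# write on "children" of the base permits the add, and the second rule limits
# what Sambaroot can write to sambaDomainName entries only.  Adding any other
# kind of entry still fails, because Sambaroot has no write access to that
# entry's attributes under the later, read-only rules.
access to dn.exact="dc=math,dc=gatech,dc=edu" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * none

access to dn.regex="^sambaDomainName=[^,]+,dc=math,dc=gatech,dc=edu$"
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Generic ou=Hosts rules for several Samba domains, each with its own suffix
# (assumed layout: uid=Sambaroot,ou=People,<suffix> per domain).
# The capture group holding the suffix is substituted into the subject DN
# via the "expand" modifier, so one rule covers dc=math,dc=gatech,dc=edu and
# any other dc=...,dc=... suffix alike.  POSIX ERE only: no (?:...) groups.
access to dn.regex="^ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$" attrs=children
        by dn.exact,expand="uid=Sambaroot,ou=People,$1" write
        by * none

access to dn.regex="^(.+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=objectClass,sambaSamAccount
        by dn.exact,expand="uid=Sambaroot,ou=People,$2" write
        by * read
```

The check a practitioner would run after adding these rules is the one Diego already shows above: bind as uid=Sambaroot and `ldapadd` a test entry under ou=Idmap and a `sambaDomainName=` entry under the base, then try an `ou=Foo` entry under the base and confirm that only the last one is refused with "Insufficient access".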